Cybersecurity keeps climbing on the list of concerns that keep the IT manager awake at night. And yet this topic is hardly ever, if at all, discussed by the board of directors. How is this possible, and what can we do about it?
Cybersecurity ranks at the top of the list for many IT managers when asked what they see as the ‘most worrisome’ IT trends. That’s one of the major conclusions from the most recent CIONET survey, which polled over 2,500 European IT managers. And, beyond IT management, cyber risks are entering the Top-10 list of the Global Risk Management Survey by risk consultancy firm Aon. Last but not least, security was considered one of the five most important threats at the World Economic Forum.
Wouldn’t you agree that this is enough reason to raise the topic of security to board level? Well, think again: in another survey, held by research agency Ponemon Institute, it appears that 78% of the polled IT managers have not once discussed the topic of security with the board of directors in the course of the past 12 months.
In other words: the very same topic that keeps IT managers awake at night is never discussed at the top level of the organization. The very real threats that IT managers and leading organizations observe daily are not even worth one minute of the management committee’s time.
IT legacy, the blocking factor
How can one explain such contradictory behaviour? There may be several valid explanations, but an obvious one would be this: in Belgium, probably more so than in neighboring countries, problems are only solved when they arise. As long as the security solution is working and there are no worrying leaks or attacks, we see no reason to invest heavily in a new security environment. New challenges are more likely to be solved with solutions ‘on top of’ the existing infrastructure than by taking a step back and considering changing the entire security infrastructure.
This conservative and pragmatic “if it ain’t broke, don’t fix it” approach is still alive and kicking in Belgium. But it leads to a complex, hard-to-manage and less transparent environment that makes it harder to detect new potential threats. That is a missed opportunity, considering that an integrated approach not only leads to a better overview and an overall safer environment, but can also lead to considerable cost savings, as an integrated security infrastructure requires far less management and maintenance.
So what will you do? Are you ready to consider an integrated environment and to compare it with your current infrastructure? Or would you rather wait until you really need to fix it?
Author: Steven Heyde